
UAC-0099’s New Weapon: The WinRAR Exploit You Can’t Ignore

Executive Summary

CVE-2023-38831, a vulnerability in WinRAR versions before 6.23, is being actively exploited to execute arbitrary code on a victim’s machine. The flaw lets an attacker build a ZIP archive in which a harmless-looking file (for example a PDF) sits next to a folder of the same name; when the user opens that file from within WinRAR, WinRAR runs a script from the folder instead. The technique has been used in targeted attacks, including by UAC-0099, and patching is the only complete fix, because the exploit needs nothing more than a user double-clicking a file inside an archive.

Background on WinRAR

WinRAR is a widely used file archiver utility for Windows. Its ability to create and view archives in various formats, such as RAR and ZIP, has made it a popular tool for both personal and professional use. This widespread adoption makes it a high-value target for cyber attackers seeking to distribute malware.

Vulnerability Details

  • CVE-ID: CVE-2023-38831.
  • CVSS Score: 7.8 (High).
  • EPSS Score: 93.65% (estimated probability of exploitation in the wild).
  • Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345).
  • Affected Software: WinRAR versions prior to 6.23.

Infection Method

The attack chain that abuses the vulnerability has several steps:

  1. Initial Access: Attackers craft a ZIP archive containing a benign-looking decoy (e.g., a PDF or JPG) and a folder whose name matches the decoy, typically with a trailing space; the folder holds a script (for example a .cmd file) named after the decoy. The archive is delivered as a spearphishing attachment.
  2. Exploitation: The user opens the archive in a vulnerable WinRAR and double-clicks the decoy. Because of the flaw, WinRAR extracts the contents of the same-named folder into its temporary directory together with the decoy.
  3. Script Execution: Instead of opening the decoy, WinRAR launches the script from the specially named folder.
  4. Payload Delivery: The script downloads and installs the next-stage malware; in UAC-0099’s campaigns this is MATCHBOIL, MATCHWOK or DRAGSTARE.
  5. Persistence: The malware establishes persistence on the infected system, often through scheduled tasks.
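As an added example (not from the original advisory and not UAC-0099’s tooling), the script below builds a harmless archive in the layout that CVE-2023-38831 abuses and then scans an archive for that layout. The file names (invoice.pdf), the placeholder .cmd body and the benign control archive are constructed for illustration; a real sample carries a downloader in the script. The scanner is general: it compares every file against every directory (explicit or implied by nested paths) after stripping trailing whitespace, since that is the only difference between the decoy name and the folder name in the exploit.

```python
import io
import posixpath
import zipfile

# Extensions Windows will execute when WinRAR hands the extracted file to the shell.
EXEC_EXTS = {".cmd", ".bat", ".com", ".exe", ".scr", ".vbs", ".vbe", ".js", ".jse",
             ".wsf", ".hta", ".ps1", ".lnk"}


def build_sample_archive() -> bytes:
    """Constructed, harmless archive in the CVE-2023-38831 layout:
    a decoy 'invoice.pdf ' (trailing space) next to a folder 'invoice.pdf /'
    that holds 'invoice.pdf .cmd'. The .cmd body is a placeholder, not a payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf ", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("invoice.pdf /", b"")  # explicit directory entry
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo off\r\necho placeholder\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: an ordinary archive with a file and an unrelated folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list[dict]:
    """Return every (decoy file, same-named directory, executable contents) triple.

    The exploit relies on the decoy and the folder sharing a name that differs
    only by trailing whitespace, so names are compared after stripping it.
    Directories are collected from explicit 'dir/' entries and from the parents
    of nested paths, because an attacker can omit the explicit directory entry.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    dirs = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        # 'a/b/c.txt' implies dirs 'a' and 'a/b'; 'a/b/' implies 'a' and 'a/b'
        depth = len(parts) if n.endswith("/") else len(parts) - 1
        for i in range(1, depth + 1):
            dirs.add("/".join(parts[:i]))
    findings = []
    for d in sorted(dirs):
        for f in files:
            if f.rstrip() != d.rstrip():
                continue
            payloads = [p for p in files
                        if p.startswith(d + "/")
                        and posixpath.splitext(p.rstrip())[1].lower() in EXEC_EXTS]
            findings.append({"decoy": f, "directory": d, "payloads": payloads})
    return findings


if __name__ == "__main__":
    for hit in find_cve_2023_38831_pattern(build_sample_archive()):
        print(f"decoy {hit['decoy']!r} shadows folder {hit['directory']!r}: {hit['payloads']}")
    print("benign archive:", find_cve_2023_38831_pattern(build_benign_archive()))
```

Run it against archives taken off the mail gateway or a quarantine share: a non-empty result means the archive is built to trigger the flaw regardless of what the decoy looks like, which is a more reliable signal than the decoy's file type or the archive's hash.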

Malware Behavior and Capabilities

The malware delivered through this exploit exhibits a range of malicious capabilities, including:

  • Backdoor Access: Provides the attacker with remote control over the compromised system.
  • Credential Theft: Steals sensitive information, including login credentials from web browsers.
  • Data Exfiltration: Collects and exfiltrates files with specific extensions, such as “.docx,” “.pdf,” and “.xls.”
  • Command Execution: Executes arbitrary PowerShell commands received from a command-and-control server.

Techniques Include

The observed attack activities align with several MITRE ATT&CK techniques:

T1020 – Automated Exfiltration: Used by DRAGSTARE to steal files and exfiltrate sensitive data from the victim’s system.

T1566.001 – Phishing: Spearphishing Attachment: Used for initial access via malicious HTA, LNK, and archive file attachments.

T1059.001 – Command and Scripting Interpreter: PowerShell: Used to execute obfuscated PowerShell commands that the MATCHWOK backdoor receives from its command-and-control server.

T1053.005 – Scheduled Task/Job: Scheduled Task: Used for persistence by creating scheduled tasks that execute the malware payloads.

T1027 – Obfuscated Files or Information: Employed by UAC-0099 to evade detection through obfuscated VBScript and PowerShell scripts.

T1105 – Ingress Tool Transfer: Downloading additional payloads such as MATCHWOK and DRAGSTARE from command-and-control servers.

Impact

  • Remote takeover of the affected device.
  • Unauthorized access to sensitive personal and corporate data.
  • Lateral movement within corporate networks.
  • Potential for widespread malware infections.

Mitigation Steps

  1. Patch Software: Update WinRAR to version 6.23 or later on every endpoint. WinRAR has no automatic update mechanism, so outdated copies persist unless they are tracked in inventory and pushed by patch management; check the installed version before assuming a host is safe.
  2. Restrict WinRAR: If patching is not immediately possible, block or restrict WinRAR on critical systems (for example with application control) and treat archives from external sources as untrusted.
  3. Threat Hunting:
    • Monitor for WinRAR.exe spawning script hosts such as cmd.exe, powershell.exe, wscript.exe, cscript.exe or mshta.exe, especially with arguments that point into WinRAR’s temporary extraction directory (%TEMP%\Rar$...).
    • Look for unusual network traffic to known malicious domains or IPs, and for scheduled tasks created shortly after an archive was opened.
  4. IOC Monitoring: Leverage indicators of compromise (IOCs) associated with malware families like MATCHBOIL, MATCHWOK and DRAGSTARE for early detection.
  5. User Awareness: Educate users about the risks of opening attachments from untrusted sources, even if they appear to be harmless documents; with this flaw, the document inside the archive is the trigger.
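As an added example (not from the original advisory), the following hunting logic turns the WinRAR process-lineage check above into code. It runs over constructed process-creation events in a simplified key=value form modelled on Sysmon Event ID 1 fields; the user name, paths, PID-like numbers and the Rar$ temp directory name are illustrative. The rule is the general one rather than the .cmd case only: it flags any script host started by WinRAR and any script extension executed from WinRAR’s temporary extraction directory.

```python
import ntpath
import re

# Script hosts that a CVE-2023-38831 archive will typically spawn under WinRAR.exe.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# WinRAR extracts entries opened from the GUI into %TEMP%\Rar$<...>; a script
# with an executable extension under that path is the exploit's signature.
TEMP_SCRIPT = re.compile(
    r'\\Rar\$[^"|]*\.(?:cmd|bat|com|exe|scr|vbs|vbe|js|jse|wsf|hta|ps1|lnk)(?=["\s]|$)',
    re.IGNORECASE)

# Constructed sample events (not real telemetry), one 'key=value|key=value' line each.
SAMPLE_EVENTS = [
    # 1: the exploit: WinRAR launches cmd.exe on a .cmd inside its temp extraction dir
    r'EventID=1|ParentImage=C:\Program Files\WinRAR\WinRAR.exe|Image=C:\Windows\System32\cmd.exe|CommandLine="C:\Users\alice\AppData\Local\Temp\Rar$DIa5248.31177\invoice.pdf .cmd"',
    # 2: benign: WinRAR opens the extracted decoy PDF in a viewer
    r'EventID=1|ParentImage=C:\Program Files\WinRAR\WinRAR.exe|Image=C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe|CommandLine="AcroRd32.exe" "C:\Users\alice\AppData\Local\Temp\Rar$DIa5248.31177\invoice.pdf"',
    # 3: unrelated: a user shell started from Explorer
    r'EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine="C:\Windows\System32\cmd.exe"',
    # 4: WinRAR launching PowerShell on a script extracted to its temp dir
    r'EventID=1|ParentImage=C:\Program Files\WinRAR\WinRAR.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\Rar$DIa5248.31177\update.ps1',
]


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; values may contain '=' so each field is split once."""
    return dict(field.split("=", 1) for field in line.split("|"))


def hunt_winrar_children(events) -> list[dict]:
    """Flag process creations where WinRAR spawns a script host or runs a script from its temp dir."""
    hits = []
    for line in events:
        ev = parse_event(line)
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        cmdline = ev.get("CommandLine", "")
        if parent != "winrar.exe":
            continue
        reasons = []
        if child in SCRIPT_HOSTS:
            reasons.append(f"WinRAR spawned script host {child}")
        m = TEMP_SCRIPT.search(cmdline)
        if m:
            reasons.append(f"script executed from WinRAR temp dir: {m.group(0)}")
        if reasons:
            hits.append({"child": child, "commandline": cmdline, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt_winrar_children(SAMPLE_EVENTS):
        print(hit["child"], "->", "; ".join(hit["reasons"]))
```

The viewer launch in event 2 is exactly what WinRAR does for a legitimate double-click, so the rule keys on the child being a script host or the command line naming a script under Rar$, not on WinRAR having children at all; translate the two conditions into your SIEM’s query language and scope the parent to WinRAR.exe to keep the rule quiet on busy endpoints.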

Instantly Fix Risks with Secure Patches Inc.

Secure Patches Inc. offers a continuous, automated solution to address risks exploited in the wild. It supports a wide range of third-party applications across Windows, macOS, and Linux, ensuring that your systems are protected against the latest threats.